Canada Cyber (Liability) Insurance Market Trends

GDPR in Europe or Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, are making companies move from a reactive approach to a proactive approach towards cybersecurity. Insurers are now seeing a greater focus on system security and the ability to safely store and use personal information. Canada was one of the first countries in the world to have federal legislation on mandatory notification for cyber/privacy breaches. Since Canadian legislation doesn't guide what companies should do at a minimum, there isn't a minimum standard for Canadian companies to follow. As a result, there is still a fair amount of cyber apathy in the Canadian context.

Both PIPEDA and GDPR certainly brought about an increase in the awareness of cyber policies as a method of risk transfer for businesses; however, with regulatory fines very few and far between - particularly for businesses that don't hold any significant personally identifiable information (PII), like manufacturers or construction, there hasn't been any meaningful claims activity for the everyday Canadian business. Less than 4% of the cyber claims are because of any third-party or regulatory action being brought forth. However, privacy laws have interacted with newer variants of ransomware that exfiltrate sensitive data to entice companies to pay their demands. Ransomware was always considered a severity-driven event long before data exfiltration, and it's easy to see why when you add up the business interruption costs for loss of profits per day and re-creating potentially sophisticated and complex networks completely from scratch - not to mention paying the demand itself, which some companies have little choice but to do without appropriate backups. Now, with confidential data at stake, it's brought in implications for having to conduct due diligence to determine whether data was viewed or exfiltrated by the criminals. As a result, businesses could have to bring in costly legal services to draft and issue an appropriate notification to customers under privacy guidelines.

Under PIPEDA, the Office of the Privacy Commissioner [OPC] can apply fines and penalties of up to $100k for a failure to report the circumstance if it involves information that could cause a 'real risk of significant harm to the affected individuals. So, mandatory reporting gives guidance on when organizations need to report and what they need to do after a breach. The bulk of Canadian businesses are small - 97.9%, according to the latest census data. A fine of $100k for a 12-person manufacturing business is going to have a much more material impact on the solvency of that business than a $100k fine against a Facebook, Google or Apple. So, small businesses in Canada should be aware that this legislation is suggesting that they take this seriously or face the consequences.